MoneyTaker hacking group stole 1 million US dollars from Russian PIR Bank
22.7.18 securityaffairs Incindent
The cybersecurity firm Group-IB is involved in the incident response on an attack on the Russian PIR Bank conducted by MoneyTaker hacking group.
MoneyTaker hacker group has stolen 1 million US dollars from the Russian bank, the cyber heist occurred on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT).
Crooks transferred the money to 17 accounts at major Russian banks and cashed out, then tried to ensure persistence in the bank’s network for later attacks. The bank hired Group-IB in order to respond to the incident and limit the damages.
According to Kommersant newspaper, the MoneyTaker hacking group stole around $920,000 (which is a conservative estimate) from the Russian bank. The PIR Bank officially confirmed the attack, but it was unable to determine the exact amount of money stole by the attackers.
Even if the bank managed to delay the withdrawal of the stolen funds, most of them are lost.
“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents,” said Olga Kolosova, Chairperson of the Management Board of PIR Bank LLC.
Forensics analysis of workstations and servers at the bank revealed that the attack was launched by the MoneyTaker hacker group. The hackers used specific tools and techniques that had been used earlier by MoneyTaker in previous attacks on financial institutions. The experts also noticed that the IP addresses of their C&C servers were the same used in previous attacks.
MoneyTaker is a cybercrime gang specialized in targeted attacks on financial institutions, in December 2017 Group-IB published a detailed report on its activity (MoneyTaker: 1.5 Years of Silent Operations). The group is focused on card processing and interbank transfer systems (AWS CBR and SWIFT).
MoneyTaker hacker group
The MoneyTaker group has been active at least since spring 2016 when they stole money from a U.S. bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers went in the dark for almost 4 months and only attacked banks in Russia in September 2016.
Group-IB recorded 10 MoneyTaker attacks against organizations in the U.S., UK, and Russia. Since 2017, the group restricted the geography of the attacks to Russia and the U.S.
In 18, Group-IB tracked two MoneyTaker attacks in Russia.
“MoneyTaker has its own set of specific TTPs. The hackers try to go unnoticed, use ‘one-time’ infrastructure, ‘fileless’ software and carefully cover up traces of their presence. This involves specific usages of Metasploit and PowerShell Empire frameworks.” states Group-IB.
Back to the PIR Bank attack, Group-IB confirmed that the attack on PIR Bank started in late May 18. Hackers gained access to the bank by compromising router used by one of the bank’s regional branches.
“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.” reads the press release published by Group-IB.
MoneyTaker group use PowerShell scripts to establish persistence in the banks’ systems and automate some stages of their attack. Once the crooks have hacked the bank’s main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank) to generate payment orders and send money in several tranches to mule accounts prepared in advance.
On the evening of July 4, bank IT staff discovered the unauthorized transactions with large sums, it quickly asked the regulator to block the AWS CBR digital signature keys, but it was not possible to stop the financial transfers in time.
Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.
MoneyTaker hackers cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation, a technique already observed in other attacks.
“Moreover, the criminals left some so-called ‘reverse shells’, programs that connected the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain the access to the network. During incident response this was detected by Group-IB employees and removed by the bank’s sysadmins.” added Group-IB.
“This is not the first successful attack on a Russian bank with money withdrawal since early 18,” says Valeriy Baulin, Head of Digital Forensics Lab Group-IB, “We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specializing in targeted attacks – Cobalt, Silence and MoneyTaker (these have been the most active groups in 18) – have their own scheme depending on the amounts and cashout scenarios. We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully. A 2016 incident, when МoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind.”